Fix identity for aws_secrets_manager_resolver
Related: gitlab#557976 (closed)
Documentation update: gitlab#542366 (closed)
What does this MR do?
When `aws_role_arn` is not set, the resolver should fall back to the default AWS credentials (see the aws_secrets_management documentation).
Why was this MR needed?
To fix the runner aws_secrets_manager_resolver when aws_role_arn is not specified.
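As an added illustration (not the runner's code and not part of this MR), the following Go program models the credential-selection rule described above: when `aws_role_arn` is set, the base credentials are used to assume that role; when it is unset, the SDK's default credential provider chain is used directly. The chain here is a simplified stand-in for the AWS SDK's (environment variables, then the shared credentials file, then the instance profile), the assume-role step only checks the ARN shape and records which base credentials would have been used rather than calling STS, and the type names, the sample credentials file and every key value are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Credentials is what a Secrets Manager client would sign with; Source names the chain step that produced it.
type Credentials struct {
	AccessKeyID, SecretAccessKey, Source string
}

// Environment is everything the resolver consults, passed in explicitly so the example runs offline.
type Environment struct {
	Env             map[string]string // process environment (AWS_ACCESS_KEY_ID, AWS_PROFILE, ...)
	CredentialsFile string            // contents of ~/.aws/credentials, "" when absent
	InstanceRole    *Credentials      // what the instance metadata service would return; nil without an IAM role
}

// ConstructedCredentialsFile is a sample shared credentials file with two profiles (constructed values).
const ConstructedCredentialsFile = `
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT
aws_secret_access_key = default-secret-placeholder
[runner]
aws_access_key_id = AKIAEXAMPLERUNNER
aws_secret_access_key = runner-secret-placeholder
`

// profileFromINI reads aws_access_key_id and aws_secret_access_key from one [profile] section.
func profileFromINI(content, profile string) (Credentials, bool) {
	var c Credentials
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inSection = strings.TrimSpace(line[1:len(line)-1]) == profile
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !inSection || !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "aws_access_key_id":
			c.AccessKeyID = strings.TrimSpace(val)
		case "aws_secret_access_key":
			c.SecretAccessKey = strings.TrimSpace(val)
		}
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return Credentials{}, false
	}
	c.Source = "shared-credentials-file"
	return c, true
}

// defaultChain is a simplified model of the SDK default credential provider chain:
// environment variables, then the shared credentials file, then the instance profile.
func defaultChain(e Environment) (Credentials, error) {
	if id := e.Env["AWS_ACCESS_KEY_ID"]; id != "" {
		return Credentials{id, e.Env["AWS_SECRET_ACCESS_KEY"], "environment"}, nil
	}
	profile := e.Env["AWS_PROFILE"]
	if profile == "" {
		profile = "default"
	}
	if c, ok := profileFromINI(e.CredentialsFile, profile); ok {
		return c, nil
	}
	if e.InstanceRole != nil {
		return Credentials{e.InstanceRole.AccessKeyID, e.InstanceRole.SecretAccessKey, "instance-profile"}, nil
	}
	return Credentials{}, errors.New("no credentials found in the default chain")
}

// ResolveCredentials is the rule from the MR: with aws_role_arn set, the default chain supplies the base
// credentials used to assume that role; unset, the chain's credentials are used directly. The assume-role
// step stands in for STS AssumeRole: it checks the ARN shape and records the base source without calling AWS.
func ResolveCredentials(roleARN string, e Environment) (Credentials, error) {
	base, err := defaultChain(e)
	if err != nil || roleARN == "" {
		return base, err
	}
	if !strings.HasPrefix(roleARN, "arn:") || !strings.Contains(roleARN, ":role/") {
		return Credentials{}, fmt.Errorf("aws_role_arn %q is not an IAM role ARN", roleARN)
	}
	return Credentials{"ASIA-ASSUMED-PLACEHOLDER", "assumed-secret-placeholder", "assume-role:" + roleARN + " via " + base.Source}, nil
}

func main() {
	// Runner on an instance with an IAM role and no aws_role_arn: the case this MR fixes.
	e := Environment{Env: map[string]string{}, InstanceRole: &Credentials{AccessKeyID: "ASIAINSTANCE", SecretAccessKey: "instance-secret-placeholder"}}
	c, err := ResolveCredentials("", e)
	fmt.Println(c.Source, err)
}
```

The `main` case is the one the test plan below exercises: a runner on an instance with an attached IAM role, no `aws_role_arn` configured, and the resolver expected to pick up the instance-profile credentials instead of failing.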
What's the best way to test this MR?
- Install the GitLab Runner with the applied fix.
- Ensure your self-hosted GitLab instance is version 18.2 or higher.
- Create the `app-secrets/database` secret in AWS Secrets Manager with a `password` field.
- Provision an IAM role and assign it to your GitLab Runner instance.
- Set up a test project using the `.gitlab-ci.yml` file provided below:
```yaml
variables:
  AWS_REGION: us-east-1

fetch-password-via-aws-cli:
  stage: test
  script:
    - echo "Fetching DB password using aws cli from Secrets Manager..."
    - 'export SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id app-secrets/database --region "$AWS_REGION" --query SecretString --output text)'
    - 'export DATABASE_PASSWORD=$(echo "$SECRET_JSON" | jq -r ".password")'
    - 'echo "Password: $DATABASE_PASSWORD"'

database-migration:
  secrets:
    DATABASE_PASSWORD:
      aws_secrets_manager:
        secret_id: app-secrets/database
        field: 'password'
      file: false
  stage: deploy
  script:
    - 'echo "DB PASSWORD"'
    - 'echo "$DATABASE_PASSWORD"'
```
The first scenario, fetch-password-via-aws-cli, should succeed in all cases — with or without the fix.
The second scenario, database-migration, should succeed only after updating the runner with the fix.
What are the relevant issue numbers?
Edited by Dmytro Biryukov